Setting up local tunneling allocates a listener port on the local client. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server and another connection is made from the server to a specified destination host and port. The connection from the server onwards is not secured; it is a normal TCP connection.

Figure 9.1 shows the different hosts and ports involved in local tunneling.

Figure 9.1. Local tunneling terminology

For example, when you issue the following command, all traffic coming to port 1234 on the client will be forwarded to port 23 on the server. See Figure 9.2.

$ sshg3 -L 1234:localhost:23 username@sshserver

Figure 9.2. Simple local (outgoing) tunnel

The forwarding address in the command is resolved at the (remote) end point of the tunnel. In this case localhost refers to the server host (sshserver).

If you have three hosts, for example, sshclient, sshserver, and imapserver, and you forward the traffic coming to the sshclient port 143 to the imapserver port 143, only the connection between sshclient and sshserver will be secured. The command you use would be similar to the following:

$ sshg3 -L 143:imapserver:143 username@sshserver

Figure 9.3 shows an example where the Secure Shell server resides in the DMZ network. The connection is encrypted from the Secure Shell client to the Secure Shell server and continues unencrypted in the corporate network to the IMAP server.

Figure 9.3. Local (outgoing) tunnel to an IMAP server
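
The following is an added example, not part of the original documentation or of the product: a small checker that takes the two -L arguments shown above and reports which leg is encrypted and whether the plain TCP leg leaves the Secure Shell server. The names TunnelLegs, parse_local_tunnel and describe are hypothetical, and only the listen-port:dst-host:dst-port form used on this page is accepted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelLegs:
    listen_port: int            # listener allocated on the client
    ssh_server: str             # end point of the encrypted leg
    dest_host: str              # resolved at the server end, not on the client
    dest_port: int
    plaintext_on_network: bool  # True if the unencrypted leg leaves the server


def _port(text):
    port = int(text)  # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # assumption: any other name is a separate host


def parse_local_tunnel(spec, target):
    """Parse a -L spec 'listen-port:dst-host:dst-port' and 'user@server'."""
    parts = spec.split(":")
    if len(parts) != 3 or not parts[1]:
        raise ValueError(f"expected listen-port:dst-host:dst-port, got {spec!r}")
    server = target.rsplit("@", 1)[-1]
    dest_host = parts[1]
    return TunnelLegs(_port(parts[0]), server, dest_host, _port(parts[2]),
                      plaintext_on_network=not _is_loopback(dest_host))


def describe(legs):
    if legs.plaintext_on_network:
        tail = f"{legs.ssh_server} -> {legs.dest_host}:{legs.dest_port} plain TCP on the network"
    else:
        tail = f"{legs.ssh_server} -> its own port {legs.dest_port} plain TCP on loopback"
    return [f"client:{legs.listen_port} -> {legs.ssh_server} encrypted (Secure Shell)", tail]


if __name__ == "__main__":
    for spec in ("1234:localhost:23", "143:imapserver:143"):  # specs from the text
        print(spec, *describe(parse_local_tunnel(spec, "username@sshserver")), sep="\n  ")
```

A destination written as the server's own hostname is reported as leaving the server, so the check errs on the side of flagging.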

By default, the server allows local tunnels to all addresses for all users. To restrict tunneling for all or for specified users, see Restrictions to Tunneling.
